
SSLChecker is used to identify obsolete versions of SSL/TLS (e.g., SSL 3.0, and TLS 1.0) on an endpoint, or perform a full scan to identify all supported versions of SSL/TLS on an endpoint.

tdensmore/SSLChecker

 
 

SSLChecker

Overview

SSLChecker is a serverless API written in Python and running on Azure Functions. The API is based on Alban Diquet's SSLyze library. SSLChecker is used to identify obsolete versions of SSL/TLS (e.g., SSL 3.0, and TLS 1.0) on an endpoint, or perform a full scan to identify all supported versions of SSL/TLS on an endpoint.

Pre-requisites

Development - To set up a local development environment, follow the guidance from Microsoft here.

Deployment - As part of the above setup, you will be able to deploy to Azure using the azure-cli. Additionally, Azure DevOps or another CI/CD tool is capable of deploying to Azure.

Usage

Invoke the function on the command line using curl:

curl http://<functionname>.azurewebsites.net/api/{scan:alpha}/{view:alpha}/{name}

There are three parts to pass to the URI: scan, view, and name.

"scan" is the type of scan: policy or full. Currently, the default policy prohibits using SSL 2.0/3.0 and TLS 1.0, so the policy scan will identify which unsupported ciphers are in use, if any. A full scan will report back all supported ciphers. In a future release I will make this configurable.

Since corporations often use split-view DNS, "view" in this context is the network viewpoint you want to scan, either internal or external. This is accomplished by specifying a valid DNS server to use for name resolution. The default value for external will use OpenDNS (e.g. 208.67.222.222). The default for internal will be 0.0.0.0 and will result in an error if a scan is attempted and no internal DNS server is specified.

"name" should be the DNS domain name you would like to scan (e.g., github.com).
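The rules above for scan, view, and name, sketched as an added example (not code from the SSLChecker repository). The function names, the hostname rule, the internal_dns parameter, and the protocol-version granularity of the report are assumptions; only the scan and view values, the default DNS servers, and the default policy come from the text above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Values below come from the README text; everything else is hypothetical.
SCANS = {"policy", "full"}
DEFAULT_DNS = {"external": "208.67.222.222", "internal": "0.0.0.0"}
PROHIBITED = {"SSL 2.0", "SSL 3.0", "TLS 1.0"}  # default policy

# Assumed hostname rule: letters, digits and hyphens, 1-63 chars per label.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


@dataclass(frozen=True)
class ScanRequest:
    scan: str
    view: str
    name: str
    nameserver: str


def build_request(scan, view, name, internal_dns=None):
    """Validate scan/view/name and choose the resolver for the view."""
    scan, view, name = scan.lower(), view.lower(), name.lower().rstrip(".")
    if scan not in SCANS:
        raise ValueError("scan must be 'policy' or 'full'")
    if view not in DEFAULT_DNS:
        raise ValueError("view must be 'internal' or 'external'")
    labels = name.split(".")
    if (len(name) > 253 or len(labels) < 2 or labels[-1].isdigit()
            or not all(_LABEL.fullmatch(label) for label in labels)):
        raise ValueError("name must be a DNS domain name, not an IP or URL")
    nameserver = DEFAULT_DNS[view]
    if view == "internal" and internal_dns:
        nameserver = internal_dns
    # ip_address() rejects anything that is not a literal IP address.
    if ipaddress.ip_address(nameserver).is_unspecified:
        raise ValueError("internal view requires an internal DNS server")
    return ScanRequest(scan, view, name, nameserver)


def report(request, supported):
    """Policy scan: prohibited versions found. Full scan: all versions."""
    found = set(supported)
    if request.scan == "policy":
        found &= PROHIBITED
    return sorted(found)
```

Rejecting IP literals and malformed names before any resolution keeps an anonymous endpoint from being pointed at arbitrary addresses through the name parameter.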

A Note on Authentication

Microsoft has extensive documentation on how to secure an HTTP endpoint in Azure Functions here. There are two main ways to secure a function: turn on App Service Authentication/Authorization for the function app, or use Azure API Management (APIM) to authenticate requests. Additionally, Azure Functions supports API key authorization, with the key supplied either as a query string variable or in an HTTP header. Microsoft states that API key authorization is not intended as a way to secure an HTTP trigger in production.

By default, I have set the authLevel in the function.json file to anonymous. Please note, when running functions locally, authorization is disabled regardless of the specified authorization level.

If you plan on running SSLChecker on the internet, please consider one of the above options for authentication.

Feedback

Send me mail at [email protected]
